DATABASICS Time & Expense Blog

If You Work With EU Data, You Need To Read This: A GDPR Cheatsheet

A lot of talk lately has been about the GDPR (General Data Protection Regulation) and that’s because not only is it important, but the deadline for becoming completely compliant is coming up in a little more than six months.

What is the GDPR?

In essence, the GDPR is a new set of laws that protect the data of European Union citizens. The new law, set to go live on May 25th, 2018, affects any organization of any size that collects, stores, and/or transfers the personal data of any EU residents.

If that sounds broad, that’s because it is. The law is meant to be all-encompassing so that companies take more care with data.

Why does it matter?

Fines for non-compliance are potentially so severe that they could constitute an extinction event for many companies. If you manage to survive a fine, the black mark that the fine gives you may make recovery even more difficult. As Lenos founder and CEO Debbie Chong said in an October 2, 2017 interview with BTN, “Beyond the fine itself, think about company perspective. If a company gets fined, everyone is going to start looking and saying, ‘What else did they do?’”

To make matters worse, the requirements for becoming compliant can be very complicated. That’s why, even though the law doesn’t go into effect for some time yet, many companies are already hard at work to make the required changes.

On the positive side, certified compliance with the GDPR could prove a valuable differentiator as far as company image:

What are the key changes of the law?

Consent is essential and needs to be made easy to give and revoke: The conditions that qualify as consent are now more stringent. The language providing consent has to be read-able and user-friendly enough for the average person to understand. This can even mean that your consent forms are so specific that each piece of data has to be given freely. In practical terms, that might look like a checkbox providing consent beside the field for name, then another box beside the field for address, and so on for each kind of data. Also important is that consent needs to be easily revocable, the method for revoking data consent should be clear, and the process should be easy.

More individuals and companies are included than ever before: This change was made specifically to protect more data and hold more companies liable for their role in protecting that data. The law is clear that whether or not the actual business takes place within the European Union, the law still applies if the data of European Union citizens is involved.

The consequences of not being compliant can be truly staggering: The specific numbers are “up to 4% of annual global turnover or €20 Million (whichever is greater!).” The Information Commissioner’s Office claims that the goal is not to frighten businesses into compliance; instead the law is meant to lead to “greater transparency, enhanced rights for citizens and increased accountability.” Regardless of the intent of the law, the fines are indisputably intimidating.

Certain organizations will need to implement a DPO (Data Protection Officer) and DPIAS (Data Protection Impact Assessments): This practical change puts a specific person in charge of ensuring that compliance remains a priority. The assessments also demonstrate that high risk-data processing activities need to meet more stringent protection requirements.

What’s the difference between the GDPR and the existing EU-U.S. and Swiss-U.S. Privacy Shield?

The Privacy Shield was designed to establish standards and a certification process for the transfer of information relating to EU persons outside of the EU. Companies can self-certify (which typically involves hiring a third-party specialist) to the U.S. Department of Commerce to publicly announce compliance.

The GDPR covers more than cross-border data transfers and, as one expert—Kevin Iwamoto at GoldSpring Consulting—says in BTN, may eventually subsume or replace Privacy Shield.

Privacy Shield has faced challenges in European courts, so it was given a deadline of September 2017 to prove that it was robust enough to fix the problems for which EU Safe Harbor was struck down by the EU courts in 2016. However, new challenges about Privacy Shield might become less important because of the GDPR. For now, Privacy Shield remains intact and its fate has not been officially determined.

What’s next?

If you manage or plan to manage data of any kind related to EU persons, from names to job titles to email addresses where the individual can be directly or indirectly identified, then you should immediately take the first steps to becoming compliant if you have not already done so. It’s a lot of work and will probably entail significant process change. It’s not the kind of the thing you can do yourself, so you will need to engage one of the growing number of consultancies that specialize in GDPR compliance. More specific information can be found on the official site, including specific language from the written law and updates.

Keep in mind that many kinds of people in your organization will have a role to play in ensuring compliance. Marketers, for example, are also included in what could sound like an IT- or administrative-only task. This checklist for marketers from e-shot provides a to-do list for preparing for these changes. HR will also need to get involved, which is why HR leaders might find the GDPR-ready assessment from XCD helpful.

Because the deadline looms ever near, talk of the GDPR will become more common, especially as companies around the world strive to follow stringent compliance regulations. Be wary of GDPR fatigue, as one data protection blogger describes it, so that you stay on guard and ready for the changes to come.

On the opposite side of the spectrum, if you’re feeling up to speed, try out your knowledge with a GDPR quiz.

DATABASICS is relied upon by leading organizations representing all the major sectors of the global economy: financial services, healthcare, manufacturing, research, retail, engineering, non-profits/NGOs, technology, federal contractors, and other sectors.

DATABASICS provides cloud-based, next generation Expense Reporting, Timesheet Management, and Invoice Processing automation to customers in all industries in more than 140 countries. Specializing in meeting the most rigorous requirements, DATABASICS offers the highest level of service to its customers around the world. Contact Sales | Request A Quote